shithub: sirjofri

--- a/pub/changeblog.plain.xml

+++ b/pub/changeblog.plain.xml

@@ -8,62 +8,62 @@

 <rights>© Copyright 2020 sirjofri</rights>

 <id>https://sirjofri.de/</id>

 <title>changeblog</title>

-<updated>2020-12-15T11:21:42+01:00</updated>

+<updated>2020-12-15T11:24:57+01:00</updated>

 <entry>

 	<title>Restrict RCPU User Access to Groups</title>

 	<id>https://sirjofri.de/changeblog/1596011563/</id>

 	<link href="https://sirjofri.de/changeblog/1596011563/"/>

 	<updated>2020-07-29T10:32:43+02:00</updated>

-	<content type="text">

- Restrict RCPU User Access to Groups

-This is how to restrict user access to groups. You can use this to enable rcpu access for all users of a spe-

-cific group. All other groups will not be allowed.

-To allow access only to sys group members: adjust your /rc/bin/service/tcp17019

- #!/bin/rc

- userfile=/adm/users

- fn useringroup{

-  grep $1 $userfile | {

-  found=0

-  while(~ $found 0 &amp;&amp; line=`:{read}){

-  if(~ $line(2) $2){

-  found=1

-  }

-  }

-  if(~ $found 1)

-  status=''

-  if not

-  status='not found'

-  }

- }

- if(~ $#* 3){

-  netdir=$3

-  remote=$2!`{cat $3/remote}

- }

- fn server {

-  ~ $#remote 0 || echo -n $netdir $remote &gt;/proc/$pid/args

-  rm -f /env/'fn#server'

-  . &lt;{n=`{read} &amp;&amp; ! ~ $#n 0 &amp;&amp; read -c $n} &gt;[2=1]

- }

- exec tlssrv -a /bin/rc -c 'useringroup $user sys &amp;&amp; server'

-This checks if the user is in group sys and only then calls the server function. Otherwise the connection

-is terminated.

-This is especially useful if you want a CPU server to expose filesystems and have cpu access for adminis-

-trators only.

+	<content type="text">

+ Restrict RCPU User Access to Groups

+This is how to restrict user access to groups. You can use this to enable rcpu access for all users of a spe-

+cific group. All other groups will not be allowed.

+To allow access only to sys group members: adjust your /rc/bin/service/tcp17019

+ #!/bin/rc

+ userfile=/adm/users

+ fn useringroup{

+  grep $1 $userfile | {

+  found=0

+  while(~ $found 0 &amp;&amp; line=`:{read}){

+  if(~ $line(2) $2){

+  found=1

+  }

+  }

+  if(~ $found 1)

+  status=''

+  if not

+  status='not found'

+  }

+ }

+ if(~ $#* 3){

+  netdir=$3

+  remote=$2!`{cat $3/remote}

+ }

+ fn server {

+  ~ $#remote 0 || echo -n $netdir $remote &gt;/proc/$pid/args

+  rm -f /env/'fn#server'

+  . &lt;{n=`{read} &amp;&amp; ! ~ $#n 0 &amp;&amp; read -c $n} &gt;[2=1]

+ }

+ exec tlssrv -a /bin/rc -c 'useringroup $user sys &amp;&amp; server'

+This checks if the user is in group sys and only then calls the server function. Otherwise the connection

+is terminated.

+This is especially useful if you want a CPU server to expose filesystems and have cpu access for adminis-

+trators only.

 </content>

 </entry>

@@ -72,35 +72,35 @@

 	<id>https://sirjofri.de/changeblog/1594885496/</id>

 	<link href="https://sirjofri.de/changeblog/1594885496/"/>

 	<updated>2020-07-16T09:44:56+02:00</updated>

-	<content type="text">

- lib/profile quick hack

-Some smaller change that can change your life.

-There are reasons why you not run rio in your lib/profile. For me the main reason would be: You can no

-longer use commandsrcpu-c in your shell. Rio opens and there you are, stuck in front of a gray back-

-ground.

-My solution:

- case cpu

- # … lots of stuff …

- rcpucmd=`{cat /mnt/term/env/cmd &gt;[2]/dev/null}

- if(~ $#rcpucmd 0)

- rio

- # … lots of stuff …

-Now I can rcpu and have my rio, or rcpu -c command and run the command without leaving my shell.

+	<content type="text">

+ lib/profile quick hack

+Some smaller change that can change your life.

+There are reasons why you not run rio in your lib/profile. For me the main reason would be: You can no

+longer use commandsrcpu-c in your shell. Rio opens and there you are, stuck in front of a gray back-

+ground.

+My solution:

+ case cpu

+ # … lots of stuff …

+ rcpucmd=`{cat /mnt/term/env/cmd &gt;[2]/dev/null}

+ if(~ $#rcpucmd 0)

+ rio

+ # … lots of stuff …

+Now I can rcpu and have my rio, or rcpu -c command and run the command without leaving my shell.

 </content>

 </entry>

@@ -109,141 +109,141 @@

 	<id>https://sirjofri.de/changeblog/1594881674/</id>

 	<link href="https://sirjofri.de/changeblog/1594881674/"/>

 	<updated>2020-07-16T08:41:14+02:00</updated>

-	<content type="text">

- Mail Server Configuration

-Recently I installed my mail server on 9front. Most of the time I followed the guide in the FQA, but still

-there are things to explain. In this document I'll go through the section of the FQA and annotate things.

-Right at the beginning the FQA mentions how the executing user needs write permissions for the mail-

-boxes. This is If upas can't write the mailboxes the mail server will not accept incoming mail!

-In my setup I can skip all DNS stuff, because I have my DNS hosted somewhere else. Make sure to add

-proper MX records as well as (at least) an SPF record.

-/mail/lib/smtpd.conf

-To make things short, here are the necessary lines in my setup. The server handles authenticated incoming

-mail for sending to other providers as well as incoming mail for local accounts.

- defaultdomain sirjofri.de

- norelay on

- verifysenderdom on

- saveblockedmsg off

- ourdomains sirjofri.de

-Note that the server is no relay for unauthenticated/untrusted requests, it will still relay if you authenticate.

-At this point it might be a good idea to check your user password. Use auth/changeuser to add

-Inferno/POP secrets to your user accounts. Use these passwords to authenticate to the smtp server.

-/mail/lib/rewrite

-The program that handles sending mail uses this file to rewrite mail addresses. This file is responsible for

-filtering out local mail as well as sending other mails to the mailer.

-In my setup I added three aliases:

- pOsTmAsTeR alias postmaster

- aBuSe alias abuse

- wEbMaStEr alias webmaster

-Use regular expressions to define your domain:

- \l!(.*) alias \1

- \l\.sirjofri.de!(.*) alias \1

- sirjofri.de!(.*) alias \1

-For translating mails I added one more rule for mail address tags. These tags are in the form of

-user+tag@example.com. Official specifications say that everything behind that “+” must be ignored, but it

-can be used to automatically sort incoming mail into folders. I do this, by the way, so I describe here, how.

-We need rules for those plus signs:

- \"(.+)\+(.*)\" translate "echo `{/bin/upas/aliasmail '\1'}^'+\2'"

- # The other translate rules are default

-For delivering local mails, I added extra rules:

- local!(.+)\+(.+) | "/bin/test -d /mail/box/\1/\2 \&amp;\&amp;

- /bin/upas/mbappend /mail/box/\1/\2 || /bin/upas/mbappend

- /mail/box/\1/mbox"

- local!"(.+)+(.+) | "/bin/test -d /mail/box/\1/\2 \&amp;\&amp;

- - 2 -

- /bin/upas/mbappend /mail/box/\1/\2 || /bin/upas/mbappend

- /mail/box/\1/mbox"

- # leave the other rules untouched.

-With this settings, mails to user+tag will be checked. If a mailbox folder for tag exists, mail is sent to this

-folder. Otherwise it is sent to the user's default inbox. Note: I tested, but this does not work with aliased

-mail. If my aliasmail changes userA to userB, mails to userA+tag will be rejected! If you know how I can

-make this work, feel free to send me a mail.

-/mail/lib/names.local

-This file is pretty easy. Just add your alias mail addresses:

- postmaster sirjofri

- webmaster sirjofri

- abuse sirjofri

-/mail/lib/remotemail

- #!/bin/rc

- shift

- sender=$1

- shift

- addr=$1

- shift

- fd=`{/bin/upas/aliasmail -f $sender}

- switch($fd){

- case *.*

- ;

- case *

- fd=sirjofri.de

- }

- exec /bin/upas/smtp -h $fd $addr $sender $*

-SMTP over TLS

-I don't use port 587. I use 25 for this. Mail servers relay mails to this port by default, so it makes sense.

-/rc/bin/service/tcp25

- #!/bin/rc

- user=`{cat /dev/user}

- exec /bin/upas/smtpd -f -E -r -c /sys/lib/tls/cert -n $3

-Don't forget to create your TLS certificate!

-IMAP4 over TLS

-I did this exactly like the FQA. See there.

-No.

-At this point I stopped. I did not configure ratfs and have no spam handling right now. It doesn't really mat-

-ter for me, because nobody knows me and I don't use that mail address to register anywhere.

-Links:

-→ https://fqa.9front.org/fqa7.html#7.7

+	<content type="text">

+ Mail Server Configuration

+Recently I installed my mail server on 9front. Most of the time I followed the guide in the FQA, but still

+there are things to explain. In this document I'll go through the section of the FQA and annotate things.

+Right at the beginning the FQA mentions how the executing user needs write permissions for the mail-

+boxes. This is If upas can't write the mailboxes the mail server will not accept incoming mail!

+In my setup I can skip all DNS stuff, because I have my DNS hosted somewhere else. Make sure to add

+proper MX records as well as (at least) an SPF record.

+/mail/lib/smtpd.conf

+To make things short, here are the necessary lines in my setup. The server handles authenticated incoming

+mail for sending to other providers as well as incoming mail for local accounts.

+ defaultdomain sirjofri.de

+ norelay on

+ verifysenderdom on

+ saveblockedmsg off

+ ourdomains sirjofri.de

+Note that the server is no relay for unauthenticated/untrusted requests, it will still relay if you authenticate.

+At this point it might be a good idea to check your user password. Use auth/changeuser to add

+Inferno/POP secrets to your user accounts. Use these passwords to authenticate to the smtp server.

+/mail/lib/rewrite

+The program that handles sending mail uses this file to rewrite mail addresses. This file is responsible for

+filtering out local mail as well as sending other mails to the mailer.

+In my setup I added three aliases:

+ pOsTmAsTeR alias postmaster

+ aBuSe alias abuse

+ wEbMaStEr alias webmaster

+Use regular expressions to define your domain:

+ \l!(.*) alias \1

+ \l\.sirjofri.de!(.*) alias \1

+ sirjofri.de!(.*) alias \1

+For translating mails I added one more rule for mail address tags. These tags are in the form of

+user+tag@example.com. Official specifications say that everything behind that “+” must be ignored, but it

+can be used to automatically sort incoming mail into folders. I do this, by the way, so I describe here, how.

+We need rules for those plus signs:

+ \"(.+)\+(.*)\" translate "echo `{/bin/upas/aliasmail '\1'}^'+\2'"

+ # The other translate rules are default

+For delivering local mails, I added extra rules:

+ local!(.+)\+(.+) | "/bin/test -d /mail/box/\1/\2 \&amp;\&amp;

+ /bin/upas/mbappend /mail/box/\1/\2 || /bin/upas/mbappend

+ /mail/box/\1/mbox"

+ local!"(.+)+(.+) | "/bin/test -d /mail/box/\1/\2 \&amp;\&amp;

+ - 2 -

+ /bin/upas/mbappend /mail/box/\1/\2 || /bin/upas/mbappend

+ /mail/box/\1/mbox"

+ # leave the other rules untouched.

+With this settings, mails to user+tag will be checked. If a mailbox folder for tag exists, mail is sent to this

+folder. Otherwise it is sent to the user's default inbox. Note: I tested, but this does not work with aliased

+mail. If my aliasmail changes userA to userB, mails to userA+tag will be rejected! If you know how I can

+make this work, feel free to send me a mail.

+/mail/lib/names.local

+This file is pretty easy. Just add your alias mail addresses:

+ postmaster sirjofri

+ webmaster sirjofri

+ abuse sirjofri

+/mail/lib/remotemail

+ #!/bin/rc

+ shift

+ sender=$1

+ shift

+ addr=$1

+ shift

+ fd=`{/bin/upas/aliasmail -f $sender}

+ switch($fd){

+ case *.*

+ ;

+ case *

+ fd=sirjofri.de

+ }

+ exec /bin/upas/smtp -h $fd $addr $sender $*

+SMTP over TLS

+I don't use port 587. I use 25 for this. Mail servers relay mails to this port by default, so it makes sense.

+/rc/bin/service/tcp25

+ #!/bin/rc

+ user=`{cat /dev/user}

+ exec /bin/upas/smtpd -f -E -r -c /sys/lib/tls/cert -n $3

+Don't forget to create your TLS certificate!

+IMAP4 over TLS

+I did this exactly like the FQA. See there.

+No.

+At this point I stopped. I did not configure ratfs and have no spam handling right now. It doesn't really mat-

+ter for me, because nobody knows me and I don't use that mail address to register anywhere.

+Links:

+→ https://fqa.9front.org/fqa7.html#7.7

 </content>

 </entry>

@@ -252,42 +252,42 @@

 	<id>https://sirjofri.de/changeblog/1593621046/</id>

 	<link href="https://sirjofri.de/changeblog/1593621046/"/>

 	<updated>2020-07-01T18:30:46+02:00</updated>

-	<content type="text">

- Guided Replica

-Today I installed on my VPS. I noticed that I can write some helper scripts around it and here they are.

-You can download them from https://sirjofri.de/files/guidedreplica.

-You can install it like that:

-# bind your client $home to /n/rclient

-# bind your server $home to /n/rserver

-hget https://sirjofri.de/files/guidedreplica/guidedreplica.rc | rc

-# follow the prompts

-This will also install two helper scripts to $home/bin/rc/replica/. Reproto copies one proto over

-the other. You can choose which one you want to keep. Reupdate is helpful if there are update-update

-errors. It should automatically solve them (untested, but should work).

-Update: has issues. Often it does a bad job tracking changes, leaving removed files there and vice versa. I

-never encountered data loss, only inconsistencies in the copies.

-Many people use which does not overwrite changed files. At some point I will build some scripts around it

-and use that instead of

-(Files: https://sirjofri.de/files/guidedreplica/README

-https://sirjofri.de/files/guidedreplica/guidedreplica.rc)

+	<content type="text">

+ Guided Replica

+Today I installed on my VPS. I noticed that I can write some helper scripts around it and here they are.

+You can download them from https://sirjofri.de/files/guidedreplica.

+You can install it like that:

+# bind your client $home to /n/rclient

+# bind your server $home to /n/rserver

+hget https://sirjofri.de/files/guidedreplica/guidedreplica.rc | rc

+# follow the prompts

+This will also install two helper scripts to $home/bin/rc/replica/. Reproto copies one proto over

+the other. You can choose which one you want to keep. Reupdate is helpful if there are update-update

+errors. It should automatically solve them (untested, but should work).

+Update: has issues. Often it does a bad job tracking changes, leaving removed files there and vice versa. I

+never encountered data loss, only inconsistencies in the copies.

+Many people use which does not overwrite changed files. At some point I will build some scripts around it

+and use that instead of

+(Files: https://sirjofri.de/files/guidedreplica/README

+https://sirjofri.de/files/guidedreplica/guidedreplica.rc)

 </content>

 </entry>

@@ -296,44 +296,44 @@

 	<id>https://sirjofri.de/changeblog/1593448779/</id>

 	<link href="https://sirjofri.de/changeblog/1593448779/"/>

 	<updated>2020-06-29T18:39:39+02:00</updated>

-	<content type="text">

- 9front on Netcup VPS

-Today I installed 9front on a Netcup VPS. Here are some notes if you want to do it yourself.

-I used the smallest VPS option. Currently, that's “VPS 200 G8”. It costs like 2.69 Euro, but you might be

-able to find some way to make it cheaper.

-After ordering it might take some time until the server is up and ready. By default debian was installed in a

-GPT, we can ignore that.

-Before we can install our custom ISO we first must upload it somewhere. This is done via FTP (you get the

-access data from the SCP), I used windows default file explorer (ftp://user@address, enter password). Copy

-the 9front ISO in /cdrom. This will take some time.

-Meanwhile you can delete the virtual disk and create a new one. You need your SCP password for this.

-This step is necessary to remove the GPT. Of course you could manually reformat the disk, but deleting the

-disk will save time.

-In the settings you can virtually insert the iso as a DVD and verify the boot order (DVD first). Start up the

-machine and switch to the web VNC display.

-At this point you can proceed with the default 9front installation described in the fqa. Don't forget to

-install the MBR and activate the partition. Otherwise there are no additional special steps besides manually

-configuring the /lib/ndb/local after installation. In my case I made an auth server.

-Currently it seems to work fine. I installed the machine today, so there might be some issues I didn't find

-yet.

+	<content type="text">

+ 9front on Netcup VPS

+Today I installed 9front on a Netcup VPS. Here are some notes if you want to do it yourself.

+I used the smallest VPS option. Currently, that's “VPS 200 G8”. It costs like 2.69 Euro, but you might be

+able to find some way to make it cheaper.

+After ordering it might take some time until the server is up and ready. By default debian was installed in a

+GPT, we can ignore that.

+Before we can install our custom ISO we first must upload it somewhere. This is done via FTP (you get the

+access data from the SCP), I used windows default file explorer (ftp://user@address, enter password). Copy

+the 9front ISO in /cdrom. This will take some time.

+Meanwhile you can delete the virtual disk and create a new one. You need your SCP password for this.

+This step is necessary to remove the GPT. Of course you could manually reformat the disk, but deleting the

+disk will save time.

+In the settings you can virtually insert the iso as a DVD and verify the boot order (DVD first). Start up the

+machine and switch to the web VNC display.

+At this point you can proceed with the default 9front installation described in the fqa. Don't forget to

+install the MBR and activate the partition. Otherwise there are no additional special steps besides manually

+configuring the /lib/ndb/local after installation. In my case I made an auth server.

+Currently it seems to work fine. I installed the machine today, so there might be some issues I didn't find

+yet.

 </content>

 </entry>

@@ -342,27 +342,27 @@

 	<id>https://sirjofri.de/changeblog/1592917245/</id>

 	<link href="https://sirjofri.de/changeblog/1592917245/"/>

 	<updated>2020-06-23T15:00:45+02:00</updated>

-	<content type="text">

- changeblog feed — social media²

-RSS is still a thing.

-Yes, there are more modern alternatives, like Atom or fancy json feeds. What I want to say is, feeds are still

-a thing.

-That's why you are now able to read my changeblog as an Atom feed.

-Now I just need to find enough time to write my posts.

+	<content type="text">

+ changeblog feed — social media²

+RSS is still a thing.

+Yes, there are more modern alternatives, like Atom or fancy json feeds. What I want to say is, feeds are still

+a thing.

+That's why you are now able to read my changeblog as an Atom feed.

+Now I just need to find enough time to write my posts.

 </content>

 </entry>

@@ -371,36 +371,36 @@

 	<id>https://sirjofri.de/changeblog/1590105600/</id>

 	<link href="https://sirjofri.de/changeblog/1590105600/"/>

 	<updated>2020-05-22T02:00:00+02:00</updated>

-	<content type="text">

- I use 9front

-Today I want to share with you, that I use the plan9 distribution '9front' as my main computer.

-Of course there are things that are almost impossible to do there, for example: all gamedev related stuff.

-This is of course an issue, because I am a game developer. I still have my windows machine with relevant

-tools, so I can still fiddle around with those complex things.

-For gaming I also use my windows machine or some game console. Yes, there are a few games on plan9

-systems.

-Also most online services use javascript and heavy styling of webpages, so I also use a modern computer

-with a modern browser. Mothra is fine for doing basic research stuff, but in 2020 it's almost impossible to

-actually do things on the web.

-Anyways, let me tell you that I don't really miss anything on plan9. I can write documents, check my email

-stuff, chat with people, and step by step it becomes more usable. The community is helpful and provides

-more applications. The system runs stable, the user interface is consistent and good to look at. Colors don't

-jump in your eye and want to kill you and there's catclock(1), our friendly companion.

+	<content type="text">

+ I use 9front

+Today I want to share with you, that I use the plan9 distribution '9front' as my main computer.

+Of course there are things that are almost impossible to do there, for example: all gamedev related stuff.

+This is of course an issue, because I am a game developer. I still have my windows machine with relevant

+tools, so I can still fiddle around with those complex things.

+For gaming I also use my windows machine or some game console. Yes, there are a few games on plan9

+systems.

+Also most online services use javascript and heavy styling of webpages, so I also use a modern computer

+with a modern browser. Mothra is fine for doing basic research stuff, but in 2020 it's almost impossible to

+actually do things on the web.

+Anyways, let me tell you that I don't really miss anything on plan9. I can write documents, check my email

+stuff, chat with people, and step by step it becomes more usable. The community is helpful and provides

+more applications. The system runs stable, the user interface is consistent and good to look at. Colors don't

+jump in your eye and want to kill you and there's catclock(1), our friendly companion.

 </content>

 </entry>

@@ -409,26 +409,26 @@

 	<id>https://sirjofri.de/changeblog/1578614400/</id>

 	<link href="https://sirjofri.de/changeblog/1578614400/"/>

 	<updated>2020-01-10T01:00:00+01:00</updated>

-	<content type="text">

- Revived

-I updated my website to Uberspace 7, but not only this: I changed the whole webpage to make it more

-nine-friendly.

-My whole webpage management system is completely 9 based. I use oridb's git9 implementation and plan9

-tools, mk, sed, cat, …

-I also decided to change the main language of the website to English.

+	<content type="text">

+ Revived

+I updated my website to Uberspace 7, but not only this: I changed the whole webpage to make it more

+nine-friendly.

+My whole webpage management system is completely 9 based. I use oridb's git9 implementation and plan9

+tools, mk, sed, cat, …

+I also decided to change the main language of the website to English.

 </content>

 </entry>

shithub: sirjofri_de